CVE-2020-15190: TensorFlow: null ptr deref DoS via Switch op eager runtime

MEDIUM PoC AVAILABLE
Published September 25, 2020
CISO Take

CVE-2020-15190 allows an unauthenticated remote attacker to crash TensorFlow processes by triggering the Switch op through the eager runtime, resulting in a segmentation fault. If you are running a TensorFlow release older than the patched version for your branch (1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1), upgrade immediately; patches have been available since September 2020. Any internet-exposed TensorFlow inference endpoint that accepts arbitrary operator inputs is directly at risk of availability loss.

Risk Assessment

Medium risk overall, but operationally significant for AI/ML deployments with network-exposed inference endpoints. The CVSS score of 5.3 reflects a network-reachable (AV:N), zero-privilege (PR:N), low-complexity (AC:L) attack path that affects availability only (A:L). The absence of confidentiality or integrity impact reduces urgency, but the ability to crash a production inference service without authentication is a meaningful operational risk. Given the 2020 publication date and patched status, residual risk exists only in unpatched legacy TF deployments.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
leap No patch

Severity & Risk

CVSS 3.1: 5.3 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 40% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: Low

Recommended Action

1. PATCH: Upgrade to TensorFlow >= 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 per your branch. Commit da8558533d is the fix reference.

2. VERIFY: Audit all production TF version pins in requirements.txt, Dockerfiles, and conda envs; legacy ML projects frequently pin old TF versions.

3. SEGMENT: If patching is delayed, isolate TensorFlow inference services from direct internet exposure behind an API gateway that validates inputs before forwarding. Reject requests containing raw op definitions from untrusted callers.

4. DETECT: Monitor for abnormal process crashes or segfaults in TensorFlow serving processes; repeated crashes from the same source IP are an indicator of exploitation attempts.

5. CONTAIN: Run TensorFlow inference processes in containers with restart policies so that a crash does not result in prolonged outage.
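
One way to carry out the VERIFY step, as an added example (not code from the advisory or the TensorFlow project): a branch-aware check of exact `tensorflow` pins against the patched releases listed above. The function names and the sample input are constructed for illustration; range pins and other TensorFlow distributions are not evaluated.

```python
import re

# Fixed release per branch, taken from the advisory text.
PATCHED = {(1, 15): (1, 15, 4), (2, 0): (2, 0, 3), (2, 1): (2, 1, 2),
           (2, 2): (2, 2, 1), (2, 3): (2, 3, 1)}

# Exact pins only: "tensorflow==X.Y[.Z]" (pip) or "tensorflow=X.Y[.Z]" (conda).
# The lookbehind skips other distributions whose name only ends in "tensorflow".
PIN_RE = re.compile(r"(?<![\w-])tensorflow\s*={1,2}\s*(\d+)\.(\d+)(?:\.(\d+))?", re.I)


def is_vulnerable(version):
    """True if (major, minor, patch) predates the fix for its branch."""
    branch = version[:2]
    if branch in PATCHED:
        return version < PATCHED[branch]
    # Branches older than 1.15 have no fixed release; branches after 2.3
    # are not "before" any version the advisory lists.
    return branch < min(PATCHED)


def audit(text):
    """Return [(line_no, pinned_version, minimum_fixed_version), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]  # drop comments
        for m in PIN_RE.finditer(line):
            version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
            if is_vulnerable(version):
                fixed = PATCHED.get(version[:2], min(PATCHED.values()))
                findings.append((line_no, ".".join(map(str, version)),
                                 ".".join(map(str, fixed))))
    return findings


# Constructed sample mixing requirements.txt, Dockerfile and conda lines.
SAMPLE = """\
numpy==1.18.5
tensorflow==2.1.0
tensorflow==2.3.1
RUN pip install --no-cache-dir tensorflow==1.14.0 flask
  - tensorflow=2.2.0
tensorflow-estimator==2.1.0
tensorflow>=2.0   # range pin, not evaluated
"""

if __name__ == "__main__":
    for line_no, pinned, fixed in audit(SAMPLE):
        print(f"line {line_no}: tensorflow {pinned} -> upgrade to >= {fixed}")
```

Pins on branches older than 1.15 are reported against 1.15.4, the earliest patched release the advisory names.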

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.3 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10: LLM09 - Overreliance

Frequently Asked Questions

Is CVE-2020-15190 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15190, increasing the risk of exploitation.

What systems are affected by CVE-2020-15190?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference.

What is the CVSS score for CVE-2020-15190?

CVE-2020-15190 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.19%.

Technical Details

NVD Description

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `tf.raw_ops.Switch` operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, one of the tensors is exactly the input tensor whereas the other one should be an empty tensor. However, the eager runtime traverses all tensors in the output. Since only one of the tensors is defined, the other one is `nullptr`, hence we are binding a reference to `nullptr`. This is undefined behavior and reported as an error if compiling with `-fsanitize=null`. In this case, this results in a segmentation fault. The issue is patched in commit da8558533d925694483d2c136a9220d6d49d843c, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

An adversary targeting an organization's AI inference API constructs a malicious inference request that invokes the tf.raw_ops.Switch operation with a specific boolean value causing the output tensor at the inactive branch to be nullptr. When the eager runtime iterates over both output tensors as part of its traversal logic, it dereferences the null pointer, triggering a segmentation fault that crashes the TensorFlow serving process. In a Kubernetes or containerized environment without proper restart policies, this could result in sustained unavailability of the inference endpoint. In a shared multi-tenant ML platform, an attacker with model execution access could crash the inference worker affecting other tenants. The attack requires only the ability to send inference requests — no authentication, no elevated privileges.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Timeline

Published: September 25, 2020
Last Modified: November 21, 2024
First Seen: September 25, 2020

Related Vulnerabilities